Name | CVE-2023-43665 |
Description | In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
References | ELA-1101-1 |
Debian Bugs | 1053475 |
Vulnerable and fixed packages
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|
python-django (PTS) | jessie, jessie (lts) | 1.7.11-1+deb8u17 | vulnerable |
| stretch (security) | 1:1.10.7-2+deb9u17 | vulnerable |
| stretch (lts), stretch | 1:1.10.7-2+deb9u23 | fixed |
| buster, buster (lts) | 1:1.11.29-1+deb10u12 | vulnerable |
| buster (security) | 1:1.11.29-1+deb10u11 | vulnerable |
| bullseye (security), bullseye | 2:2.2.28-1~deb11u2 | vulnerable |
| bookworm (security), bookworm | 3:3.2.19-1+deb12u1 | vulnerable |
| trixie | 3:4.2.16-1 | fixed |
| sid | 3:4.2.17-1 | fixed |
The information below is based on the following data on fixed versions.
Notes
[bookworm] - python-django <postponed> (Minor issue, fix along in future update)
[bullseye] - python-django <postponed> (Minor issue, fix along in future update)
[buster] - python-django <postponed> (Minor issue, fix along in future update)
https://www.openwall.com/lists/oss-security/2023/10/04/6
https://www.djangoproject.com/weblog/2023/oct/04/security-releases/
https://github.com/django/django/commit/17b51094d778b421bb2b3aae0c270894b050455d (main)
https://github.com/django/django/commit/be9c27c4d18c2e6a5be8af4e53c0797440794473 (4.2.6)
https://github.com/django/django/commit/ccdade1a0262537868d7ca64374de3d957ca50c5 (3.2.22)
[jessie] - python-django <postponed> (Minor issue, fix along in future update)